Summary
Nhost CLI local configserver allows cross-origin unauthenticated read/write access to local development configuration and secrets
Impact
An attacker who can cause a developer to visit a web page while nhost dev is running can use JavaScript from that page to send cross-origin GraphQL requests to the local Nhost configserver. The attacker can read local development secrets and configuration, including Hasura admin secrets, JWT signing keys, webhook secrets, Grafana credentials, and custom environment variables stored in .secrets. The attacker can also mutate the local .secrets file, which can alter subsequent local development behavior and potentially poison local configuration consumed by services.
This is not a hosted-production unauthenticated endpoint vulnerability; it affects the local developer environment. The realistic attacker model is a malicious web page, local unprivileged process, or same-network process that can reach the developer's local configserver route while the development stack is running.
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
CVE-2026-47671 has a CVSS score of 5.4 (Medium). The vector is network-reachable, requires no privileges, and requires user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20260518172022-e407511627d2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Addressed in nhost/nhost#4302 with three layered controls:
- CORS restricted to the dashboard origin. `cors.Default()` in `cli/cmd/configserver/configserver.go` is replaced by `corsMiddleware()`, which uses an `AllowOriginFunc` driven by `dashboardOriginRe = ^https?://([^./]+\.dashboard\.local\.nhost\.run|local\.dashboard\.nhost\.run)(:\d+)?$`. Arbitrary origins receive no `Access-Control-Allow-*` headers and are rejected by browsers. The allowlist is locked in by `cli/cmd/configserver/configserver_test.go`.
- Unguessable per-project app ID. The fixed zero UUID is replaced by a UUIDv4 generated on first `nhost dev`, persisted to `.nhost/app_id` (mode `0600`) by `cli/clienv/appid.go`, and threaded via `NHOST_APP_ID` into the configserver container and `NEXT_PUBLIC_NHOST_APP_ID` into the dashboard. The configserver `serve` action validates the value with `uuid.Parse` at startup. Queries against any other app ID resolve to no app.
- In-memory secret redaction with reconciling writes. `cli/cmd/configserver/local.go` adds `loadSecretsRedacted`, which substitutes every secret value with `<placeholder-from-local-configserver-substituted-for-real-secret>` before secrets enter the graph store, so `appSecrets` and any other read path return placeholders. `UpdateSecrets` reconciles incoming mutations against the on-disk `.secrets` file: placeholder values preserve the on-disk value and only real new values are written, so a caller that has not seen the real secret cannot overwrite it with a known string. Coverage in `cli/cmd/configserver/local_test.go`.
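To make the first and third controls concrete, here is an added Go example (not nhost's code and not taken from the fix PR) that reimplements them with the standard library: the dashboard-origin allowlist using the regex quoted above, wrapped in a small stdlib CORS middleware that stands in for the CORS library's `AllowOriginFunc`, plus the placeholder redaction and the reconciling write. The function names (`AllowOrigin`, `CORSMiddleware`, `RedactSecrets`, `ReconcileSecrets`), the merge semantics for keys that a mutation does not mention, and the sample secret names are assumptions made for this example; the app-ID control is not reproduced because `uuid.Parse` comes from a third-party package.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// dashboardOriginRe is the allowlist pattern quoted in the advisory.
var dashboardOriginRe = regexp.MustCompile(
	`^https?://([^./]+\.dashboard\.local\.nhost\.run|local\.dashboard\.nhost\.run)(:\d+)?$`)

// AllowOrigin plays the role of an AllowOriginFunc: only dashboard origins pass.
// The anchors matter: "local.dashboard.nhost.run.evil.example" must not match.
func AllowOrigin(origin string) bool {
	return dashboardOriginRe.MatchString(origin)
}

// CORSMiddleware is a stdlib stand-in (assumption: the project uses a CORS
// library) that emits Access-Control-Allow-* headers only for allowlisted
// origins. Any other origin gets no CORS headers, so the browser withholds
// the response body from the calling page.
func CORSMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && AllowOrigin(origin) {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
			w.Header().Set("Vary", "Origin")
		}
		if r.Method == http.MethodOptions { // preflight: headers above decide the outcome
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// AllowOriginHeaderFor sends a GraphQL-style POST with the given Origin through
// the middleware and returns the Access-Control-Allow-Origin header it produced
// ("" means the browser will block the cross-origin read).
func AllowOriginHeaderFor(origin string) string {
	h := CORSMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte(`{"data":{}}`))
	}))
	req := httptest.NewRequest(http.MethodPost, "/v1/graphql", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

// Placeholder is the value the advisory says every secret reads back as.
const Placeholder = "<placeholder-from-local-configserver-substituted-for-real-secret>"

// RedactSecrets returns a copy in which every value is the placeholder, so the
// read path never carries a real secret into the graph store.
func RedactSecrets(onDisk map[string]string) map[string]string {
	out := make(map[string]string, len(onDisk))
	for k := range onDisk {
		out[k] = Placeholder
	}
	return out
}

// ReconcileSecrets merges an incoming mutation against the on-disk secrets:
// a placeholder value keeps whatever is on disk, any other value is written.
// Assumptions for this example: keys the mutation does not mention stay as
// they are on disk, and a placeholder for a key that does not exist on disk is
// dropped rather than written literally.
func ReconcileSecrets(onDisk, incoming map[string]string) map[string]string {
	out := make(map[string]string, len(onDisk))
	for k, v := range onDisk {
		out[k] = v
	}
	for k, v := range incoming {
		if v == Placeholder {
			continue // caller never saw the real value; keep the on-disk one
		}
		out[k] = v
	}
	return out
}

func main() {
	for _, o := range []string{
		"https://local.dashboard.nhost.run",
		"http://abc.dashboard.local.nhost.run:3000",
		"https://evil.example",
		"https://local.dashboard.nhost.run.evil.example",
	} {
		fmt.Printf("%-48s allow=%-5v header=%q\n", o, AllowOrigin(o), AllowOriginHeaderFor(o))
	}
	// Constructed sample secrets; names only illustrate the kinds listed in the advisory.
	onDisk := map[string]string{"HASURA_GRAPHQL_ADMIN_SECRET": "real-admin", "GRAFANA_ADMIN_PASSWORD": "real-grafana"}
	mutation := map[string]string{"HASURA_GRAPHQL_ADMIN_SECRET": Placeholder, "GRAFANA_ADMIN_PASSWORD": "rotated"}
	fmt.Println("read path:", RedactSecrets(onDisk))
	fmt.Println("written  :", ReconcileSecrets(onDisk, mutation))
}
```

Run it with `go run .`; the allowlist lines show that only the two dashboard forms get an `Access-Control-Allow-Origin` header, and the reconcile line shows the admin secret unchanged while the Grafana password is rotated, which is exactly the property that stops a caller holding only placeholders from overwriting a secret with a value it chose.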
Frequently Asked Questions
- What is CVE-2026-47671? CVE-2026-47671 is a medium-severity missing authentication for critical function vulnerability in github.com/nhost/nhost (go), affecting versions < 0.0.0-20260518172022-e407511627d2. It is fixed in 0.0.0-20260518172022-e407511627d2. A critical operation is accessible without requiring any authentication.
- How severe is CVE-2026-47671? CVE-2026-47671 has a CVSS score of 5.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/nhost/nhost are affected by CVE-2026-47671? github.com/nhost/nhost (go) versions < 0.0.0-20260518172022-e407511627d2 are affected.
- Is there a fix for CVE-2026-47671? Yes. CVE-2026-47671 is fixed in 0.0.0-20260518172022-e407511627d2. Upgrade to this version or later.
- Is CVE-2026-47671 exploitable, and should I be worried? Whether CVE-2026-47671 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-47671 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-47671? Upgrade github.com/nhost/nhost to 0.0.0-20260518172022-e407511627d2 or later.